Health Privacy

At Blue Cross and Blue Shield of Nebraska, maintaining the privacy of your protected health information (also called PHI) is very important to us. This document provides you with important information about how we use and disclose your PHI and how you can access it. PLEASE READ THIS INFORMATION CAREFULLY.

PHI means information about you that is unique to you, including your name, address, telephone number, and Social Security Number. It’s also health information that we have gotten from you or from hospitals, doctors, other health care providers, health insurance companies, your employer and health care information clearinghouses related to:

  • your past, present or future physical or mental health or condition;
  • the delivery of health care to you; or
  • past, present or future payment for health care services you receive.

This Notice of Privacy Practices document describes how Blue Cross and Blue Shield of Nebraska may use and/or disclose your PHI. It also describes the rights you have regarding your PHI. In this notice, “you” refers to you, our customer, and your covered family members. “We” means Blue Cross and Blue Shield of Nebraska.

We are required by federal and state laws to maintain the privacy of your PHI. We are also required to provide you with this notice about our privacy practices, our legal duties, and your rights concerning your PHI. We must follow the privacy practices described in this notice. These privacy practices will remain in effect until we replace or revise them.

We reserve the right to change our privacy practices as described in this document at any time, provided it is permitted by law. We may make changes to our PHI privacy practices, including PHI that we received or created before the change was made. Before we make a significant change in our privacy practices, we will revise this notice and send it to you.

You may have additional privacy rights under state law. State laws that provide greater privacy protection or rights will continue to apply.

You may also request a printed copy of our Notice of Privacy Practices (also available in Spanish as Aviso de Prácticas de Privacidad) at any time. For more information about our privacy practices, or for additional copies of this notice, please contact us.

How We Use and Disclose Your PHI

In order to administer our health care plans effectively, we will collect, use and disclose PHI for certain types of activities, including benefit payment and health care operations. The following is a description of how we may use and/or disclose PHI about you for payment and health care operations:

We do not conduct treatment activities. However, we may disclose your PHI to doctors, hospitals, and other health care providers who request it in connection with your treatment.

We may use and disclose your PHI for all activities that are included within the HIPAA* Privacy Rule’s definition of “payment.” For example, we may use or disclose your PHI to pay claims from doctors, hospitals, pharmacies and others for services delivered to you that are covered by your health plan, to determine your eligibility for benefits, to coordinate benefits, to examine medical necessity, to obtain premiums, and to issue Explanations of Benefits. We have not listed here all of the activities included within HIPAA’s definition of “payment,” so please refer to the HIPAA Privacy Rule for a complete list. More information about HIPAA and the Privacy Rule may be found here.

We may use and/or disclose your PHI for all activities that are included within the HIPAA Privacy Rule’s definition of “health care operations.” For example, we may use and/or disclose your PHI to determine the premium for your health plan, to conduct quality assessment and improvement activities, to credential health care providers, to engage in care coordination or case management, and/or to manage our business. We have not listed here all of the activities included within the definition of “health care operations,” so please refer to the HIPAA Privacy Rule for a complete list. NOTE: We will not use or disclose your genetic information, including family history, for underwriting purposes.
In connection with benefit payment and health care operations activities, we contract with individuals and entities (called “business associates”) to perform various functions on our behalf or to provide certain types of services (such as member service support, utilization management, subrogation, or pharmacy benefit management). To perform these functions or to provide the services, business associates will receive, create, maintain, use, or disclose PHI, but only after the business associates agree to appropriately safeguard your information.

We may use and/or disclose your PHI to assist health care providers in connection with their treatment or payment activities, or to assist other covered entities in connection with their payment activities and certain other health care operations. For example, we may disclose your PHI to a health care provider when it is needed to treat you, or we may disclose PHI to another covered entity to conduct health care operations in the areas of quality assurance and improvement activities, or accreditation, certification, licensing or credentialing.

For more information about covered entities, please visit the following links:

Are You a Covered Entity?

If you need help determining if you are interacting with a Covered Entity, please refer to the CMS Covered Entity Decision Tool.

If you provide us with verbal permission, we may disclose the PHI you specify to a family member, another relative, a close friend or any other individual you have identified as being involved in your health care. This verbal permission is valid for one encounter and is not a substitute for written authorization. If you are not present or able to agree to these disclosures of your PHI due to a situation such as a medical emergency or disaster relief, then we may, using our professional judgment, determine whether the disclosure is in your best interest.
We may use or disclose your PHI when required to do so by state or federal law.
We may use and disclose your PHI for public health activities that are permitted or required by law. For example, we may use and disclose information for the purpose of preventing or controlling disease, injury, or disability. We may also disclose your PHI to a health oversight agency for activities authorized by law, such as: audits; investigations; inspections; licensure or disciplinary actions; or civil, administrative, or criminal proceedings or actions.
Where permitted by law, we may use your PHI to communicate with you about health-related products, benefits and services, and payment for those products, benefits and services that we provide or include in our benefits plan. We may use your PHI to communicate with you about treatment alternatives that may be of interest to you. These communications may include information about health care providers in our networks, about replacement of or enhancements to your health plan, and about health-related products or services that are available only to our members that add value to our benefit plans.
We may disclose your PHI to a government authority that is authorized by law to receive reports of abuse, neglect, or domestic violence.
We may, when necessary, disclose your PHI to avert a serious or imminent threat to your health or safety or the health or safety of others.
We may disclose limited information to a law enforcement official concerning the PHI of a suspect, fugitive, material witness, crime victim or missing person. We may also disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process. Under limited circumstances (such as a court order, warrant or grand jury subpoena) we may also disclose your PHI to law enforcement officials.
We may disclose PHI to a coroner or medical examiner for purposes of identifying a deceased person, determining a cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We also may disclose, as authorized by law, information to funeral directors so that they may carry out their duties. Further, we may disclose PHI to organizations that handle organ, eye, or tissue donation and transplantation.
We may disclose your PHI to researchers when an Institutional Review Board or privacy board has: (1) reviewed the research proposal and established protocols to ensure the privacy of the information; and (2) approved the research.
We may disclose the PHI of armed forces personnel to military authorities under certain circumstances. We may disclose to authorized federal officials any PHI required for lawful intelligence, counterintelligence and other national security activities.
We may disclose the PHI of inmates of a correctional institution to the correctional institution or to a law enforcement official for: (1) the institution to provide health care; (2) the inmate’s health and safety and the health and safety of others; or (3) the safety and security of the correctional institution.
We may disclose your PHI to your group health plan to allow the performance of plan administration functions.
We may disclose your PHI to comply with workers’ compensation laws and other similar programs that provide benefits for work-related injuries or illnesses.
We may disclose your PHI to your group health plan’s sponsor to allow the performance of plan administration functions. Please see your plan documents for a full explanation of the limited uses and disclosures the sponsor may make of your PHI to administer your plan.

Disclosures of PHI

The following is a description of disclosures that we are required by law to make:

We are required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA Privacy Rule.
We are required to provide you with your PHI upon request, as described below in the “Individual Rights” section of this notice. We are also required to provide you with the PHI of any individual on whose behalf you are acting as a personal representative. 

Your authorization is required for us to use and/or disclose your PHI in any situation not listed in the previous section. We may not use and/or disclose your PHI without your written authorization for any reason except those described in this notice. You may give us a written authorization to use your PHI or to disclose it to anyone you specify. If you give us this authorization, you may revoke it in writing at any time, except to the extent that action has already been taken in reliance upon the authorization.

  • If we maintain or receive psychotherapy notes about you, most disclosures of these notes require your authorization.
  • To the extent (if any) that we might use or disclose your PHI for our fundraising practices, we will provide you with the ability to opt out of future fundraising communications.
  • Most (but not all) uses and disclosures of your PHI for marketing purposes and disclosures that constitute a sale of PHI require your authorization.

You can obtain a copy of our authorization form by contacting us.

Your Rights

You have certain rights related to your PHI.

You have the right to inspect and obtain copies of your PHI that we maintain. This may include an electronic copy in certain circumstances if requested in writing. To request to inspect and copy your PHI, you must complete and sign a form available by contacting us. For the full digital copy with more information regarding your rights to inspect and copy your PHI, view this document. For a Spanish version, view this document.

We may deny your request to inspect and copy your PHI in certain limited circumstances. For more information regarding inspecting and copying your PHI, please read the full digital copy of this form. If you are denied access to your information, you may request that the denial be reviewed. A licensed health care professional chosen by us will review your request and the denial.

You have the right to request that we amend (make changes to) your PHI. Your request must clearly state the information to be amended and the reasons for doing so. All requests must be in writing using a form obtained by calling or writing to us. To request a copy of this form, please contact us.

We reserve the right to deny your request. In the event your request is denied, a written explanation of the reasons for denial will be provided to you. You may respond to our denial by filing a written statement of disagreement. If we approve your request to amend the information, we will make reasonable efforts to inform others of the amendment and to include the changes in any future disclosures. For the full digital copy with more information regarding your rights to request an amendment of your PHI, please read the digital copy of this document.

You have the right to request that we place additional restrictions on our use and/or disclosure of your PHI for treatment, payment or health care operations. We are not required to agree to any additional restrictions; however, if we do, we will abide by those restrictions (except in emergency situations). To request additional restrictions, you must complete and sign a form available by contacting us.

You have the right to request that we communicate with you confidentially about your PHI by alternative means and/or to an alternative location. Your request must provide the alternative means and/or location for communicating your PHI with you and clearly state that failure to do so could endanger your physical safety. To request confidential communications, you must complete and sign a form available by contacting us.
You have the right to receive a summary of all instances in which we disclosed your PHI for purposes other than treatment, payment, health care operations and certain other activities. This accounting will be provided to you within 60 days of our receipt of your request, unless we notify you in writing that a 30-day extension is needed. If you make a request more than once in a 12-month period, we may charge a reasonable, cost-based fee for additional copies. All requests must be in writing on the designated Blue Cross and Blue Shield of Nebraska form. You must complete and sign the form before we can process your request. To request this form or for more information, contact us.

You are entitled to receive this notice in paper form. To do so, please contact us. For the full digital copy, view Notice of Privacy Practices. For a Spanish version, view Aviso de Prácticas de Privacidad.

In the event of a breach of your unsecured PHI, we will provide you notification of such a breach as required by law or where we otherwise deem appropriate.

What are important things you should consider before authorizing a third-party app to retrieve your health care data?  

It is important for you to take an active role in protecting your health information. Knowing what to look for when choosing an app can help you make more informed decisions. You should look for an easy-to-read privacy policy that clearly explains how the app will use your data. If an app does not have a privacy policy, you should not use the app.  

You should consider:

  • What health data will this app collect? Will this app collect non-health data from my device, such as my location? 
  • Will my data be stored in a de-identified or anonymized form?  
  • How will this app use my data?  
  • Will this app disclose my data to third parties?  
    • Will this app sell my data for any reason, such as advertising or research?  
    • Will this app share my data for any reason? If so, with whom? For what purpose?  
  • How can I limit this app’s use and disclosure of my data?  
  • What security measures does this app use to protect my data?  
  • What impact could sharing my data with this app have on others, such as my family members?  
  • How can I access my data and correct inaccuracies in data retrieved by this app?  
  • Does this app have a process for collecting and responding to user complaints?  
  • If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?
    • What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?  
  • How does this app inform users of changes that could affect its privacy practices?  

If the app’s privacy policy does not clearly answer these questions, you should reconsider using the app to access your health information. Health information is very sensitive information, and you should be careful to choose apps with strong privacy and security standards to protect it. 

What should you consider if you are part of an enrollment group?  

You may be part of an enrollment group where you share the same health plan as multiple members of your tax household. Often, the primary policy holder and other members can access information for all members of an enrollment group unless a specific request is made to restrict access to member data. If you share a tax household but do not want to share an enrollment group, you can enroll individual household members into separate enrollment groups, even while applying for Exchange coverage and financial assistance on the same application; however, this may result in higher premiums for the household, some members (i.e., dependent minors) may not be able to enroll in all QHPs in a service area if enrolling in their own enrollment group, and total out-of-pocket expenses may be higher if each member has to meet a separate annual limitation on cost sharing (i.e., Maximum Out-of-Pocket (MOOP)).

Complaints

If you believe your privacy rights have been violated, you may file a written complaint with us or you may submit a written complaint with the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

You can receive a copy of our complaint form by contacting us. We will respond to your complaint within 60 days of receipt of the form. All complaints must be in writing using the designated Blue Cross and Blue Shield of Nebraska form.

Oversight responsibilities of the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC)

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy. OCR protects your rights by:

  • Teaching health and social service workers about civil rights laws, conscience and religious freedom laws, health information privacy, and patient safety confidentiality laws.
  • Educating communities about civil rights, conscience and religious freedom rights, and health information privacy rights.
  • Investigating civil rights, conscience and religious freedom, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and taking action to correct problems.

Source: HHS.gov

The FTC is the only federal agency with both consumer protection and competition jurisdiction in broad sectors of the economy. The FTC pursues vigorous and effective law enforcement; advances consumers’ interests by sharing its expertise with federal and state legislatures and U.S. and international government agencies; develops policy and research tools through hearings, workshops, and conferences; and creates practical and plain-language educational programs for consumers and businesses in a global marketplace with constantly changing technologies. FTC’s work is performed by the Bureaus of Consumer Protection, Competition and Economics. That work is aided by the Office of General Counsel and eight regional offices.

Source: FTC.gov/About-FTC

To learn more about filing a complaint with OCR under HIPAA, visit:  
https://www.hhs.gov/hipaa/filing-a-complaint/index.html

Individuals can file a complaint with OCR using the OCR complaint portal:
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf  

Individuals can file a complaint with the FTC using the FTC complaint assistant: 
https://reportfraud.ftc.gov/#/